Risk Assessment Preparation
a) Determine the objectives of the risk assessment.
Identify deficiencies in the existing information systems and their management, together with the possible risk exposures, in light of the security, legal and regulatory requirements for the sustainable development of the organization's business.
b) Determine the scope of the risk assessment.
The scope may cover all of the organization's information, its various types of assets and its regulatory agencies, or it may be a single business process, system or department, such as one related to customer IP.
c) Establish an appropriate assessment management and implementation team.
The risk assessment implementation team is formed from management, key business staff, IT technical staff and other personnel. If necessary, a risk assessment leadership group may be set up, attended by the assessor, the leader of the assessed party and the relevant department heads, and an expert group may be formed by engaging relevant professional technical experts and technical backbone staff.
The assessment implementation team shall prepare the pre-assessment forms, documentation, testing tools and other preparations, conduct risk assessment technical training and confidentiality education, and develop the provisions governing the risk assessment process. At the request of the assessed party, the parties may sign a confidentiality contract or confidentiality agreement.
d) Conduct a systematic survey of the assessed object, covering:
    a) Operational strategy and management system;
    b) The main business functions and requirements;
    c) Network structure and network environment, including internal and external connections;
    d) System boundaries;
    e) The main hardware and software;
    f) Data and information;
    g) The sensitivity of the systems and data;
    h) Personnel who support and use the system;
    i) Other.
e) Determine the basis and method of the assessment, drawing on:
    a) Existing international standards, national standards and industry standards;
    b) The business system requirements and rules of the competent authorities of the industry;
    c) The security level requirements of the system;
    d) The security requirements of units interconnected with the system;
    e) The real-time or performance requirements of the system itself.
f) Develop the risk assessment programme, including:
    a) Team organization: the assessment team members, organizational structure, roles, responsibilities and related content;
    b) Work plan: the work plan for each stage of the risk assessment, including the content, form and deliverables of the work;
    c) Time schedule: the time schedule for project implementation.
g) Obtain top management support for the risk assessment work.

Asset identification
Asset classification
Asset types: data, software, hardware, services, people, other (corporate image, customer relationships, etc.)
Asset assignment (valuation)
Confidentiality assignment, integrity assignment, availability assignment, asset importance level
Threat identification
Threat classification
Hardware and software failure, physical environment impact, inaction or operational error, inadequate management, malicious code, unauthorized action or misuse, network attack, physical attack, leakage, tampering, repudiation
Threat assignment
a) Statistics of threats and their frequency from previous security incident reports;
b) Statistics of threats and their frequency detected in the actual environment through detection tools and the various logs;
c) Threat and frequency statistics published by international organizations for society as a whole or for the industry over the past one or two years, together with threat warnings.
Vulnerability identification
Vulnerability identification content
Technical vulnerability: physical environment, network structure, system software, application middleware, application system
Management vulnerability: technical management, organizational management
Identification methods: questionnaires, tool testing, manual verification, document inspection, penetration testing
Vulnerability assignment
Based on the degree of exposure of the asset, the difficulty of exploiting the vulnerability, and its prevalence
Confirmation of existing security measures

Security measures can be divided into preventive security measures and protective security measures. Preventive security measures reduce the likelihood that a threat exploits a vulnerability and causes a security incident (intrusion detection systems, for example); protective security measures reduce the impact on the organization or system once a security incident has occurred.
Risk analysis
Principles of risk calculation
Risk value = R(A, T, V) = R(L(T, V), F(Ia, Va)), where L(T, V) is the likelihood of a security incident given threat T and vulnerability V, and F(Ia, Va) is the loss given asset importance Ia and vulnerability severity Va; the value is calculated by the matrix method or by the multiplication method.
Risk result determination
Risk is divided into five levels; the higher the level, the higher the risk.
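The formula above carried through in code, as an added example that is not part of the original outline: Ia is derived from the three CIA assignments, L(T, V) and F(Ia, Va) are combined into a risk value by the matrix method and by the multiplication method, and the value is mapped onto the five risk levels. The 1-5 scales, the three lookup matrices, the combining rule and the level bands are constructed assumptions standing in for an organization's own procedure document.

```python
import math

# Constructed 5x5 lookup matrices for the matrix method, indexed [row-1][col-1].
LIKELIHOOD = [  # L(T, V): rows = threat frequency T, cols = vulnerability severity V
    [1, 1, 2, 2, 3], [1, 2, 2, 3, 3], [2, 2, 3, 3, 4], [2, 3, 3, 4, 4], [3, 3, 4, 4, 5]]
LOSS = [  # F(Ia, Va): rows = asset importance Ia, cols = vulnerability severity Va
    [1, 1, 2, 2, 3], [1, 2, 2, 3, 3], [2, 2, 3, 4, 4], [2, 3, 4, 4, 5], [3, 3, 4, 5, 5]]
RISK = [  # R(L, F): rows = likelihood L, cols = loss F; entries are risk values 1-25
    [1, 2, 4, 6, 8], [2, 4, 7, 10, 12], [4, 7, 11, 15, 18], [6, 10, 15, 20, 23], [8, 12, 18, 23, 25]]

def asset_importance(confidentiality, integrity, availability):
    """Ia from the three CIA assignments. Assumption: the highest governs
    (a weighted average is the other common choice in procedure documents)."""
    return max(confidentiality, integrity, availability)

def lookup(matrix, row, col):
    """Matrix-method lookup with range checking on the 1-5 scales."""
    if not (1 <= row <= 5 and 1 <= col <= 5):
        raise ValueError("assignments must be on the 1-5 scale")
    return matrix[row - 1][col - 1]

def risk_matrix_method(ia, va, t):
    """Risk value = R(L(T, V), F(Ia, Va)) by successive table lookups."""
    likelihood = lookup(LIKELIHOOD, t, va)   # L(T, V)
    loss = lookup(LOSS, ia, va)              # F(Ia, Va)
    return lookup(RISK, likelihood, loss)    # R(L, F), 1-25

def risk_multiplication_method(ia, va, t):
    """Same formula with an assumed combining rule: geometric mean for
    L and F, then their product, rounded to one decimal (1-25)."""
    likelihood = math.sqrt(t * va)           # L(T, V)
    loss = math.sqrt(ia * va)                # F(Ia, Va)
    return round(likelihood * loss, 1)       # R(L, F)

def risk_level(value):
    """Map a 1-25 risk value onto the five levels (assumed equal-width bands)."""
    for level, upper in enumerate((5, 10, 15, 20, 25), start=1):
        if value <= upper:
            return level
    raise ValueError("risk value out of range")

if __name__ == "__main__":
    ia = asset_importance(4, 5, 3)            # constructed asset: Ia = 5
    for method in (risk_matrix_method, risk_multiplication_method):
        value = method(ia, 4, 3)              # constructed Va = 4, T = 3
        print(method.__name__, value, "level", risk_level(value))
```

The two methods can place the same asset in different bands near a threshold, so the procedure document should fix one method and one set of tables before the assessment starts.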
Risk management plan
The risk management plan should explicitly state the security measures to be taken, their expected effects, the conditions for implementation, the schedule, the responsible departments, etc.
Residual risk assessment

Risk Assessment Document Records
The process documentation and result documents produced throughout the risk assessment process:
a) Risk assessment programme: describes the objectives, scope, personnel, assessment methods, the form of the assessment results and the implementation schedule of the risk assessment;
b) Risk assessment procedure: defines the purpose, responsibilities, process and documentation requirements of the assessment, together with the identification and judgment criteria for assets, threats and vulnerabilities used in this assessment;
c) Asset identification checklist: an asset identification list formed according to the asset classification method defined in the organization's risk assessment procedure document, identifying the responsible person/department for each asset;
d) List of important assets: an inventory of important assets, including key asset names, descriptions, types, importance levels and responsible persons/departments, based on the results of asset identification and assignment;
e) Threat list: a list of threats, including threat names, types, sources, motivations and frequency of occurrence, based on the results of threat identification and assignment;
f) List of vulnerabilities: a list of vulnerabilities, including the name, description, type and severity of each specific vulnerability, based on the results of vulnerability identification and assignment;
g) Confirmation form of security measures: a checklist of the existing security measures, including the name, type, function description and effect of each measure, based on the results of confirming the security measures already taken;
h) Risk assessment report: a summary of the overall risk assessment process and results, detailing the assessed object, the risk assessment methodology, the results of asset, threat and vulnerability identification, the risk analysis, risk statistics and conclusions;
i) Risk management plan: a plan for the unacceptable risks in the assessment results that selects appropriate control objectives and security measures, assigns responsibilities, schedules and resources, and confirms the effectiveness of the selected security measures by evaluating the residual risk;
j) Risk assessment records: the various field records required by the risk assessment procedure during the assessment process, which allow the assessment to be reproduced and serve as the basis for resolving any later disputes.